Frankly, Dropbox’s security attributes have been a moving target as of late. That’s not necessarily a bad thing for the wildly popular service, used by more than 25 million people, but it is important that advisers take a close look at how Dropbox communicates regarding its security.

Is It Secure?

I won’t rehash the details of recent controversy over Dropbox’s changes to its statements on security here, but I do want to direct you to a resource that I feel fairly addresses the situation.

Over at TechRepublic, IT consultant Michael Kassner posted an interview with ChenLi Wang of Dropbox’s Business Operations. Read Kassner’s post to gain perspective on Dropbox’s changes to its security statements and how they apply to its users. Click the link below to read it first, then come back and continue reading this post.

Security Discussion

Now that you have some background on the issue, let’s address security from the financial adviser’s perspective.

Without question, financial advisers collect and maintain personally identifiable information (PII) on clients in order to deliver financial advisory services. Both FINRA and the SEC have requirements in place that FINRA member firms and registered advisers must follow. SEC Regulation S-P, Privacy of Consumer Financial Information, is the primary rule by which advisers must abide to address the protection of client information and records.

With respect to Dropbox, what must advisers do to abide by the requirements?

If you operate under FINRA, you must first ask your broker-dealer’s compliance department what your options are when considering the use of cloud-based applications, including Dropbox. It’s likely your broker-dealer has performed due diligence on a select number of providers which likely include vendors of cloud-based CRM, portfolio management software, financial planning, and document management applications.

Empirically, some broker-dealers have approved the use of services like Dropbox for their registered representatives, while others prohibit its use. So I cannot provide specific guidance for those of you affiliated with a broker-dealer; check with them first.

If you are an SEC or state-registered investment adviser, you must have written policies and procedures in place that address the steps you follow to protect client information. If you elect to use Dropbox, document the steps you take that are designed to (taken directly from Reg S-P):

(i) insure the security and confidentiality of customer records and information;

(ii) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

(iii) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

From Kassner’s post highlighted earlier, Dropbox acknowledges that, in “rare circumstances,” a “small number of employees” are able to access user data according to the provisions in Dropbox’s privacy policy (e.g., when legally required to do so). Aside from the rare circumstances, Dropbox’s Wang went on to say:

We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

So let me challenge you, the adviser, with this question: What steps do you have in place to insure the security of client information stored on other web-based services? Have you performed similar due diligence on your CRM provider, online financial planning software, or even your online e-newsletter service? If you feel those services adequately protect the security of client information, how does that align with your confidence in Dropbox’s ability to provide similar protection?

Encryption

Before concluding this post, let’s briefly address the option of using additional encryption. To better protect client information, records can be encrypted using third-party applications before they’re transferred to web-based services like Dropbox (though I know of no methods advisers can use to encrypt client data stored in, say, web-based CRM. Does that make it more vulnerable?).

Remember, Dropbox stated, “all files stored on Dropbox servers are encrypted (AES 256).” Is it necessary to add yet another layer of encryption to files stored on Dropbox? Perhaps. If additional encryption is applied to documents stored on Dropbox, even if the “small number” of Dropbox employees access files legally under “rare circumstances,” all they will see are encrypted files with no meaningful data.

So, yes, the use of third-party encryption such as TrueCrypt, SecretSync, and others mentioned in Kassner’s post, does add an additional layer of obfuscation to protect against information access by Dropbox employees. But does that mean it is required to comply with regulatory requirements?

I believe the answer is no.

Files are already stored encrypted on Dropbox. There’s a reasonable expectation that the files will remain protected from unauthorized access. Assuming select Dropbox employees do access stored files, citing the legal requirement to do so, that access is likely to be authorized, as it is in response to a request from law enforcement. If this were to happen to you, you probably would have more to be concerned about than Dropbox decrypting your files and providing them to law enforcement.
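The encrypt-before-upload step discussed in this section, as an added example that is not part of the original post: it uses the OpenSSL command-line tool (an assumption; the post names TrueCrypt and SecretSync instead), and the function names and the `FILE_PASSPHRASE` variable are chosen here for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a file locally so that
# only ciphertext is ever placed in a synced folder.
# Assumptions: the OpenSSL 1.1.1+ CLI is installed; FILE_PASSPHRASE is an
# environment variable name chosen for this example. Reading the passphrase
# from the environment keeps it out of the command-line arguments.

# Left unquoted on purpose below so the shell splits it into separate options.
KDF_OPTS="-aes-256-cbc -pbkdf2 -iter 600000 -md sha256"

# encrypt_for_sync PLAINTEXT_FILE CIPHERTEXT_FILE
encrypt_for_sync() {
    [ -n "${FILE_PASSPHRASE:-}" ] || { echo "FILE_PASSPHRASE is not set" >&2; return 2; }
    # -salt gives every file its own random salt, so equal files encrypt differently.
    openssl enc $KDF_OPTS -salt -pass env:FILE_PASSPHRASE -in "$1" -out "$2"
}

# decrypt_from_sync CIPHERTEXT_FILE PLAINTEXT_FILE
decrypt_from_sync() {
    [ -n "${FILE_PASSPHRASE:-}" ] || { echo "FILE_PASSPHRASE is not set" >&2; return 2; }
    openssl enc -d $KDF_OPTS -pass env:FILE_PASSPHRASE -in "$1" -out "$2"
}

# selftest: round-trip a constructed record. Runs in a subshell so the demo
# passphrase does not leak into the caller's environment.
selftest() (
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    printf 'Client: Jane Sample\nSSN: 000-00-0000\n' > "$work/client.txt"  # constructed data
    FILE_PASSPHRASE='constructed demo passphrase'; export FILE_PASSPHRASE
    encrypt_for_sync "$work/client.txt" "$work/client.txt.enc" || exit 1
    # The .enc file is the only one that belongs in the synced folder;
    # it must not contain the readable record.
    if LC_ALL=C grep -q '000-00-0000' "$work/client.txt.enc"; then exit 1; fi
    decrypt_from_sync "$work/client.txt.enc" "$work/restored.txt" || exit 1
    cmp -s "$work/client.txt" "$work/restored.txt" || exit 1
    # A different passphrase must not recover the record.
    FILE_PASSPHRASE='wrong passphrase'
    decrypt_from_sync "$work/client.txt.enc" "$work/wrong.txt" 2>/dev/null || true
    if cmp -s "$work/client.txt" "$work/wrong.txt"; then exit 1; fi
    exit 0
)
```

`openssl enc` in this mode provides confidentiality only: it does not detect tampering with the stored ciphertext, and the protection is no stronger than the passphrase.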

Best Practices

Let me close with what I believe to be best practices for the use of cloud-based storage services, including Dropbox.

If you’re a FINRA member, check with your broker-dealer’s compliance department before using any web-based service. Obtain approval before storing any client information on such services. Also, document your policies and procedures regarding the steps you take to protect client data when using web-based applications.

If you’re an independent registered investment adviser, document the policies and procedures you employ to protect client data when using any web-based service. For added protection, you may optionally apply third-party encryption where applicable, but I believe it is not a requirement to comply with SEC Regulation S-P rules.

Do you have practical information with respect to these best practices? Perhaps your broker-dealer has raised issues on web-based services that are not included here. Please leave comments and feedback below to help clarify what advisers need to do to protect client data stored in cloud-based services.

Full Disclosure: I use Dropbox every day; it significantly simplifies my life. I store both personal and company files on the service. However, I am neither SEC- nor state-registered, nor am I a FINRA member.

For those files that contain private or sensitive information, like social security numbers and bank account numbers, I add individual file password protection. All of these files are in PDF format, so I use Adobe Acrobat to encrypt all document contents with 256-bit AES and require a password to open the document.

Even Adobe PDF document passwords are not a 100% guarantee against unauthorized access. No password-based security system is. But with a combination of mixed case, numbers, and punctuation, the time required to crack the password with a brute-force attack may deter unauthorized users from an attempt and lead them to seek out more vulnerable targets instead. I feel that this level of protection is adequate for my personal situation and acknowledge that the benefits of using web-based services like Dropbox are compelling enough to accept the risk trade-off. Your situation may dictate different considerations.

14 Responses to “Dropbox for Financial Advisers: Is it Safe? Secure?”

One concern I have with Dropbox is that files are not scanned for viruses. We have gotten a virus twice in the last couple of months, and if we were using Dropbox, and put a file in a shared folder, the virus could easily transmit to our client’s computer.

Alan,
You are right to be concerned about viruses and the potential for transmission when using shared folders in Dropbox (or any shared folder synchronization service for that matter).
The easy answer is to direct you to the lengthy discussion forum on Dropbox’s website: http://forums.dropbox.com/topic.php?id=5170
To summarize the forum discussion, users must take adequate steps to configure antivirus software on each computer connected to the Dropbox service.
Files in shared folders will not automatically execute after they are synchronized to a new machine, so antivirus software has the opportunity to run and intercept the infected file prior to its opening.
Still, I think there’s more vulnerability in using out-of-date Internet browsers and Flash than sharing a folder with another user.
Do others want to chime in?

I commend you for tackling this difficult issue. You make some great points in your article.

I use encrypted disk images, which can be created in the Mac’s disk utility program, for encrypting client data. I create an encrypted disk image for each client. Before I can see files related to a client, I have to type in a password to decrypt the disk image. When I want to encrypt the client data again, I eject the disk image. The encrypted file then gets sent to the Dropbox servers.

Perhaps you are right and I don’t need to use this process because Dropbox is sufficiently protecting my data. However, since I have this client data on a laptop, I feel that encrypting my data is important. In the event my laptop is stolen, I know that my client data is still secure.

Another thing to think about is security if a financial planner does not encrypt client data and that planner uses the Dropbox app on a smartphone or tablet. If these devices are lost or stolen, client information could be compromised. A four-digit passcode on an iPad and iPhone is likely not too secure.

So, there may be reasons to encrypt client data even if it isn’t required for protection of the data on the Dropbox servers.

My comments do nothing to refute your analysis regarding the Dropbox servers. I was never quite sure how secure the Dropbox servers were, so I really appreciated seeing your analysis.

Thank you for sharing the technique you use to encrypt data on your Mac. It’s important to note that since client data is stored on your laptop, you’ve taken the necessary steps to protect that data with encryption. All advisors using laptops containing client data need to implement the same measures, regardless of whether or not services like Dropbox are used.

For mobile devices and tablet computers, advisors need to understand their device’s ability to encrypt data stored locally. That includes files retrieved through Dropbox apps as you said, but it even applies to names, addresses, and phone numbers in the device’s Contacts app.

One good feature of the Dropbox app for iPad/iPhone is the ability to set a four-digit passcode to launch the app. Also, the Dropbox app can be set to erase all Dropbox data on the iPad after 10 failed passcode attempts.

Devices running iOS support both the four-digit passcode as well as a longer, alpha-numeric password. Applying a strong password on the device is a best practice. Devices running Android OS support lock patterns, PINs, and strong passwords.

Thank you for your comment. I’m considering highlighting Dropbox plus a few other cloud-based document storage and synchronization services for upcoming columns, either for Morningstar or for the Journal of Financial Planning.

Dropbox is surely NOT compliant for FINRA firms who want to meet SEC books and records regulation such as the 17a-4 retention rules.

Because anyone can delete files anytime that are stored in Dropbox, this is simply the problem: there is no actual long-term retention built into it.

So if FINRA comes in and says they want to see all documents from last year and you say you are using Dropbox to store data, they will say – how do we know you have not deleted records that you did not want us to see.

And because of this, Dropbox cannot act as the D3P. So FINRA firms need to use another add-on, like advisorvault, to run every night, go into Dropbox and copy data to a non-rewriteable format and retain it for 7 years.

As an added measure of Dropbox security, you could use a data masking tool for files like IRI FieldShield (or Excel spreadsheets like IRI CellShield) to apply one or more additional protection functions (like masking, pseudonymization, or encryption) to specific columns. Thus when the entire file is decrypted for any reason, there are still several more additional levels of security in place (one per field, reversible or not).

Thanks for this, Bill! Very helpful as I’m in the early months of running my state-registered firm. I find that having a lot of paper files is its own kind of security risk (on several levels), so I’m hoping to make my doc storage all cloud-based. This answered many of my questions!